Validation
Implementations MUST strictly validate all incoming data to ensure that it is well-formed and adheres to the Versia Protocol. If a request is invalid, the instance MUST return a 400 Bad Request
HTTP status code.
Remember that while your implementation may disallow or restrict some user input, other implementations may not. You should not apply those restrictions to data coming from other instances.
For example, if your implementation disallows using HTML in posts, you should not strip HTML from posts coming from other instances. You may choose to display them differently, but you should not modify the data itself.
Things that should be validated include, but are not limited to:
- The presence of all required fields.
- The format of all fields (integers should not be strings, dates should be in ISO 8601 format, etc.).
- The presence of all required headers.
- The presence of a valid signature.
- The length of all fields (for example, the
username
field on aUser
entity) should be at least 1 character long.- Do not set arbitrary limits on the length of fields that other instances may send you. For example, a
bio
field should not be limited to 160 characters, even if your own implementation has such a limit. - If you do set limits, they should be reasonable, well-documented and should allow Users to easily view the remote original, by, for example, linking to it.
- Do not set arbitrary limits on the length of fields that other instances may send you. For example, a
- The type, precision and scale of all numeric fields.
- For example, a
size
field on aContentFormat
structure should be a positive integer, not a negative number or a floating-point number.
- For example, a
All numeric fields in these docs have the appropriate precision (u64
, i64
, f32
, etc.) specified. As a rule of thumb, do not use a different type in memory than the one specified in the docs.
Using the same type with a higher bit count, for example using a u128 instead of a u64, is acceptable. Beware of performance impacts this may cause.
- The validity of all URLs and URIs (run them through your favorite URL parser, optionally fetch the linked URL).
- The time of all dates and times (people should not be born in the future, or in the year 0).
It is your implementation's duty to reject data from other instances that does not adhere to the strict spec. This is crucial to ensure the integrity of your instance and the network as a whole. Allowing data that is technically valid but semantically incorrect can lead to the degradation of the entire Versia ecosystem.